Merge pull request #1388 from brendandburns/auth

Add a script for generating CA signed certs, and a client cert.
2025-07-24 20:24:09 +00:00 · 2014-09-23 11:48:15 -07:00 · 2014-09-23 11:48:15 -07:00 · 8efa45b64d
commit 8efa45b64d
parent 6df5afb88e d38b498b0f
2 changed files with 68 additions and 9 deletions
--- a/cluster/saltbase/salt/nginx/init.sls
+++ b/cluster/saltbase/salt/nginx/init.sls
@ -10,14 +10,33 @@ nginx:
      - file: /usr/share/nginx/htpasswd
      - cmd: /usr/share/nginx/server.cert

+{% if grains.cloud == 'gce' %}
+  {% set cert_ip='_use_gce_external_ip_' %}
+{% endif %}
+{% if grains.cloud == 'vagrant' %}
+  {% set cert_ip=grains.fqdn_ip4 %}
+{% endif %}
+# If there is a pillar defined, override any defaults.
+{% if pillar['cert_ip'] is defined %}
+  {% set cert_ip=pillar['cert_ip'] %}
+{% endif %}
+
+{% set certgen="make-cert.sh" %}
+{% if cert_ip is defined %}
+  {% set certgen="make-ca-cert.sh" %}
+{% endif %}
+
 /usr/share/nginx/server.cert:
  cmd.script:
-    - source: salt://nginx/make-cert.sh
+    - unless: test -f /usr/share/nginx/server.cert
+    - source: salt://nginx/{{certgen}} 
+{% if cert_ip is defined %}
+    - args: {{cert_ip}}
+{% endif %}
    - cwd: /
    - user: root
    - group: root
    - shell: /bin/bash
-    - stateful: True

 /etc/nginx/nginx.conf:
  file:
@ -45,10 +64,3 @@ nginx:
    - group: root
    - mode: 644

-/usr/share/nginx/make-cert.sh:
-  file:
-    - managed
-    - source: salt://nginx/make-cert.sh
-    - user: root
-    - group: root
-    - mode: 755
--- a/cluster/saltbase/salt/nginx/make-ca-cert.sh
+++ b/cluster/saltbase/salt/nginx/make-ca-cert.sh
@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+cert_ip=$1
+
+# TODO: Add support for discovery on other providers?
+if [ "$cert_ip" == "_use_gce_external_ip_" ]; then
+  cert_ip=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
+fi  
+
+tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
+trap 'rm -rf "${tmpdir}"' EXIT
+cd "${tmpdir}"
+
+# TODO: For now, this is a patched repo that makes subject-alt-name work, when the fix is upstream
+#  move back to the upstream easyrsa
+curl -L -J -O https://github.com/brendandburns/easy-rsa/archive/master.tar.gz > /dev/null 2>&1
+tar xzf easy-rsa-master.tar.gz > /dev/null 2>&1
+
+cd easy-rsa-master/easyrsa3
+./easyrsa init-pki > /dev/null 2>&1
+./easyrsa --batch build-ca nopass > /dev/null 2>&1
+./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
+./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
+cp pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1
+cp pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1
+cp pki/ca.crt /usr/share/nginx/ca.crt
+cp pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt
+cp pki/private/kubecfg.key /usr/share/nginx/kubecfg.key
+